Glenn Brunette writes:
> That is a non-starter for many of our customers who are looking for
> unique credentials for each of their services -- especially those
> that may be running under the same OS instance/zone. Not only does
> this help with accountability (syslog and audit) but having unique
> credentials will also help contain a compromise should one
> (unprivileged) service be exploited. If you were running apache and
> mysql (for example) as the same UID, a flaw (w/arbitrary code execution)
> in one could lead to the direct compromise of the other running service.
> Taking away proc_session from each service could help with this however.

Yes, I think LP is a better answer for limiting damage due to code
flaws. The apache and mysql examples might not be the best ones --
those are cases where you do have related file permissions, and you'll
probably want a UID just for that.

--
James Carlson, Solaris Networking <james.d.carlson at sun.com>
Sun Microsystems / 35 Network Drive 71.232W Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757 42.496N Fax +1 781 442 1677